NIST plans to review references in the document to ensure they are current and, per user requests, is considering clarifying the framework’s Implementation Tiers, a mechanism for organizations to gauge their approach to managing cyber security risk. NIST may also add guidance for applying the framework to supply chain risk management.

The need to refine and clarify small portions of the framework was evident in comments received through a December 2015 Request for Information and an April 2016 workshop that included 800 participants from industry, government and academia.

“We are working from all of the feedback we’ve received since the framework was published on its use, best practices, outreach, prospective updates and governance,” said Matthew Barrett, NIST Cybersecurity Framework program manager. “The minor updates we have planned for the framework should not disrupt anyone’s ongoing framework use.”

Stakeholder feedback called for other actions that NIST will undertake, such as:
• Publish a governance process that outlines the process of framework maintenance and evolution and defines the role of stakeholders and how they will continue to work together in the future
• Remain as convener of framework stakeholders
• Continue framework outreach and focus on international, small and medium-sized businesses and regulators

NIST is also developing a tool to help an organization assess its cyber security risk management process. The Cybersecurity Excellence Builder will be based on the Cybersecurity Framework and key concepts from the Baldrige Performance Excellence Program.